topic Re: R81.20 JHF 89 SAML Forced Re-authentication in Firewall and Security Management

R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Thu, 07 Nov 2024 13:15:28 GMT

Hi all,

Has anyone figured out how to enable this function: Identity Awareness(SAML): Forced Re-authentication, which requires mandatory login for each session?

Previously, I followed the instructions described in sk180948.

Best regards,

Alex

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Thu, 07 Nov 2024 14:48:17 GMT

Im fairly positive there is a feature on Azure portal you need to enable to make this work. Let me talk to one of my coleagues, Im sure he will know what it is.

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Thu, 07 Nov 2024 14:51:30 GMT

@Alex2023

I believe this is what you need to follow, but will verify.

Andy

https://learn.microsoft.com/en-us/entra/identity/saas-apps/check-point-remote-access-vpn-tutorial

Re: R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Thu, 07 Nov 2024 15:12:39 GMT

Hi @the_rock ,

thank you for your message. I set up the Azure authorization according to that guide, and everything is working perfectly. However, I can’t find a function in Azure that would enforce authentication each time a client connects.

I used sk180948 to implement persistent authentication. I was hoping there might now be an option in Check Point to handle this without manually editing the config file.

Alex

Re: R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Thu, 07 Nov 2024 15:26:06 GMT

This option likely pertains to Conditional Access Policies in Office365. See more here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#require-reauthentication-every-time

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Thu, 07 Nov 2024 15:27:53 GMT

Yep, thats it!

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Fri, 08 Nov 2024 08:34:40 GMT

Hi @the_rock ,

Simply activating this function in the Conditional Policy didn’t change anything. The MS documentation includes the following: 'Sign-in frequency set to every time works best when the resource has the logic of when a client should get a new token.'

It seems to me that some configuration change might also be needed on the Check Point side. Is there anyone we could ask about this?

Alex

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Fri, 08 Nov 2024 12:08:30 GMT

Thats the same link my collegue sent me as well, sorry. Im not aware of anything else. Maybe you can double check with TAC or lets see if someone else may know.

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Fri, 08 Nov 2024 12:09:34 GMT

After a few hours, it started working better. Authentication is requested if the last session was more than 5 minutes ago.

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Fri, 08 Nov 2024 12:10:49 GMT

Maybe just took some time...

Re: R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Fri, 08 Nov 2024 12:12:10 GMT

Agreed, Microsoft always requires some time.

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Fri, 08 Nov 2024 12:15:18 GMT

I wish that were only true for Microsoft lol

Anyway, is it working for all users now?

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

Alex2023 — Fri, 08 Nov 2024 12:17:42 GMT

Yes, this works for everyone who falls under this Conditional Policy.

Alex

Re: R81.20 JHF 89 SAML Forced Re-authentication

PhoneBoy — Fri, 08 Nov 2024 15:32:05 GMT

I diffed the relevant file in R81.20 JHF 89 versus a fresh install of R81.20.
There is one line added to the file that didn't exist before:

'ForceAuthn' => ( ( IsForceAuthnOverride((string)$realm_name) || (property_exists($realm, "ForceAuthn") && ($realm->ForceAuthn === true))) ? true : false ),

Not exactly sure where it is reading this property from, though.
I'll see if I can get more information.

Re: R81.20 JHF 89 SAML Forced Re-authentication

Ben_Dunkley — Fri, 22 Nov 2024 15:19:52 GMT

It would be nice if there was at least an sk for those new SAML features (Request Signing, Assertion Decryption and Forced Re-authentication).

SAML for remote access vpn broke for us on upgrade to take89, and we ended up reverting and installing take84 instead.

We were assuming it was related to those new features, but struggled to find any information about them.

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Fri, 22 Nov 2024 20:14:38 GMT

Yup, I see same thing on jumbo 90 as well, that exact line.

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Fri, 22 Nov 2024 20:15:12 GMT

I actually gave feedback for the sk, lets hope they made a modification.

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

PhoneBoy — Fri, 22 Nov 2024 21:19:55 GMT

sk180948 is where the existing "ForceAuthn = true" modification is documented.
I left feedback on this SK and it appears R&D plans to update this with the relevant information.

Re: R81.20 JHF 89 SAML Forced Re-authentication

the_rock — Sun, 24 Nov 2024 21:04:07 GMT

I got an email today about the sk being modified and when I checked it, it indeed was.

Andy

Re: R81.20 JHF 89 SAML Forced Re-authentication

PhoneBoy — Mon, 25 Nov 2024 14:32:39 GMT

It looks like an additional modification to the file needs to be made for R82 and R81.20 JHF 89 (If I'm understanding the SK correctly).